Date: Sun, 30 Oct 2005 22:37:40 +0100 From: "Simon L. Nielsen" <simon@FreeBSD.org> To: Simon Barner <barner@FreeBSD.org> Cc: doc@FreeBSD.org Subject: Re: Please review: New vuln.xml entry for ports/mail/fetchmail Message-ID: <20051030213739.GA891@zaphod.nitro.dk> In-Reply-To: <20051030195007.GB1451@zi025.glhnet.mhn.de> References: <20051030195007.GB1451@zi025.glhnet.mhn.de>
next in thread | previous in thread | raw e-mail | index | archive | help
--BXVAT5kNtrzKuDFl Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2005.10.30 20:50:07 +0100, Simon Barner wrote: > could you please review the attached patch? Looks good, except for a few minor issues (see below). > Index: vuln.xml > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v > retrieving revision 1.868 > diff -u -r1.868 vuln.xml > --- vuln.xml 27 Oct 2005 19:40:24 -0000 1.868 > +++ vuln.xml 30 Oct 2005 19:47:37 -0000 > @@ -34,6 +34,36 @@ > =20 > --> > <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">; > + <vuln vid=3D"baf74e0b-497a-11da-a4f4-0060084a00e5"> > + <topic>fetchmailconf -- password exposure through insecure file crea= tion</topic> This first part is the portname by convention. I would suggest the following to avoid getting the topic too long. <topic>fetchmail -- fetchmailconf local password exposure</topic> > + <affects> > + <package> > + <name>fetchmail</name> > + <range><lt>6.2.5.2_1</lt></range> > + </package> > + </affects> > + <description>=20 ^ EOL whitespace > + <body xmlns=3D"http://www.w3.org/1999/xhtml">; > + <p>From the fetchmail home page:</p> > + <blockquote cite=3D"http://fetchmail.berlios.de/fetchmail-SA-2005-02.tx= t"> > + <p>The fetchmailconf program before and excluding version 1.49 opened= the > + run control file, wrote the configuration to it, and only then chan= ged > + the mode to 0600 (rw-------). Writing the file, which usually conta= ins > + passwords, before making it unreadable to other users, can expose > + sensitive password information.</p> > + </blockquote> > + </body> > + </description> > + <references> > + <cvename>CVE-2005-3088</cvename> > + <url>http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt</url>; > + </references> > + <dates> > + <discovery>2005-10-21</discovery> > + <entry>2005-10-30</entry> > + </dates> > + </vuln> > + =20 ^^ EOL whitespace > <vuln vid=3D"1daea60a-4719-11da-b5c6-0004614cc33d"> > <topic>ruby -- vulnerability in the safe level settings</topic> > <affects> --=20 Simon L. Nielsen FreeBSD Security Team --BXVAT5kNtrzKuDFl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (FreeBSD) iD8DBQFDZT0jh9pcDSc1mlERAiFUAJ96OJqONHmBL++Ljog8rxAQr4gS1wCfa1Pw 5y/nVvA4RdNI9TakhQiCed0= =pxNT -----END PGP SIGNATURE----- --BXVAT5kNtrzKuDFl--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051030213739.GA891>